The ubiquity of data breaches can create a misperception that data breach investigations are routine. In reality, these investigations can be surprisingly complex and are unlike other law enforcement investigations. Most significantly, the interests of law enforcement and victim entities are not always aligned, particularly as investigations progress.

In the wake of a data breach, internal company investigations and law enforcement investigations require cooperation between the victim company and government investigators. Those unfamiliar with data breach investigations might fail to appreciate the more difficult nuances of that relationship. Navigating these investigations—and crafting sensible policies surrounding them—requires anticipating friction points and better understanding the interests and agendas of all parties. While this piece focuses primarily on cooperation between U.S. companies and law enforcement, many of the same issues arise in the context of cross-border investigations and are relevant to the broader Mutual Legal Assistance dialogue.

Typically, the law enforcement and company investigation relationships begin in one of two ways: either law enforcement informs the company that they have reason to believe the company is the victim of a data breach, or the company determines it should or must report a breach to law enforcement. Upon discovery, law enforcement informs victim entities of the potential criminal activity involving their systems or networks as a matter of course. Companies, in contrast, face a decision point of whether to inform law enforcement of a breach or proceed only with an internal investigation. This decision is influenced by the company's assessment of its legal obligations and the benefits of law enforcement assistance in relation to the potential risks of alerting law enforcement and losing control of the company’s investigation.

Once an investigation is underway, at first blush, the interests of both company and law enforcement seem to be aligned in investigating and resolving a security incident. However, from the outset there are important differences in the equities, which can negatively impact collaboration and lead to unanticipated consequences.

The first divergence is in the purpose of the investigation. For companies, the primary goal of responding to a cyber attack is often to protect the company, its systems and data, and its customers and employees as quickly as possible. This is essentially a crisis response, because of the potential legal, financial and reputational exposure in a breach of any significance. As such, the priorities are somewhat akin to emergency medicine: Stop the bleeding, fix damage caused and address the problem that contributed to the incident occurring, and finally recover and return to normal function. The company may also want the criminals responsible for the attack to be identified and apprehended, but that is a secondary benefit. The company’s first focus will understandably be on protecting itself, mitigating damage and resuming normal operations.

For law enforcement conducting a criminal investigation following a data breach, on the other hand, the primary purpose is to identify and apprehend the individuals who are responsible. In the context of a national security investigation, goals might also include public safety, preventing infrastructure disruption, and deterrence.

In some ways, investigating cyber crimes is no different than investigating physical crimes. In both scenarios, law enforcement needs to find evidence linking the criminal activity to an individual actor—which usually means a recreation of the crime scene. But digital evidence is more volatile and fleeting than physical evidence, and criminal actors operating in the digital realm have many more technological measures available to them to hide their tracks and anonymize their behavior. For cybercrime incidents, therefore, the difficulty of re-creating the digital crime depends in part on whether the incident is ongoing or detected days, months or even years after it occurred. Often for incidents with a not-insignificant time lag between the occurrence and the detection, there are simply no relevant evidentiary sources available to review.

Most importantly, and in contrast to physical crime investigations, cybercrime investigations depend significantly—sometimes even entirely—on the victim entity’s investigation, including for the gathering and preservation of evidence. While law enforcement has legal authority to collect the relevant evidence, government resources simply cannot be brought to bear on every data breach. Most often law enforcement will rely on the victim entity to preserve the relevant pieces of digital evidence (including logs and systems images) and to initially investigate and determine the nature and scope of the crime. This is the core dynamic of the two parties’ symbiotic relationship.

Despite the divergent purposes, in the early stages of investigation company and law enforcement interests are often closely aligned. Both stakeholders want to understand the nature and scope of the incident. The company is interested in identifying and fixing any damage or vulnerabilities to its systems, while law enforcement is interested in identifying any evidentiary sources that may require an immediate legal process for preservation purposes (e.g., preservation requests for IP addresses). Both sides benefit the other, and themselves, in the initial stage by sharing information and resources. For example, the company may possess important forensics that law enforcement needs, while law enforcement may have threat intelligence on the particular group involved that may be helpful for the company’s investigation.

Additionally, early on, law enforcement requests tend to not be overly burdensome on the company. Law enforcement is often satisfied with assurances from the victim entity that relevant evidence has been preserved after the victim fulfills modest requests for some initial pieces of digital evidence (e.g., IP addresses and malicious files/code linked to the criminal activity). More burdensome requests (e.g., for system images and detailed logging) often come later in law enforcement’s investigation, particularly as it prepares a search warrant or criminal indictment. Increasingly burdensome information requests can become a source of tension.

While there can be tension and misaligned interests, importantly, law enforcement investigations are not about finding fault in the victim entity. Unlike regulatory inquiries, law enforcement investigations do not involve assessing deficiencies in the company’s security that might have been exploited in the attack, at least not in terms of whether such deficiencies may implicate violations of laws or regulation. While companies sometimes hesitate to share information with law enforcement out of fear of exposing their security measures as lacking or inadequate, in practice, law enforcement has no interest in the adequacy of security measures. In fact, the Secret Service’s Electronic Crimes Task Force has publicly stated that “[l]aw enforcement agencies investigate the breach but do not mitigate damages to your system.”

As an investigation progresses, however, the interests of the company and of law enforcement can diverge and even conflict. First, where the company will want to close any security holes immediately, law enforcement may seek to leave vulnerabilities in place if the breach is ongoing, in order to engage in real-time monitoring to identify and collect evidence. Second, where the company will look to resolve its investigation and move on quickly, law enforcement generally proceeds more slowly and will take as much time as is required to develop the necessary evidence. Where substantial foreign evidence, foreign targets, or foreign witnesses are at issue, law enforcement investigations can take years. A company may have concluded its investigation and report and be prepared to move on, where the law enforcement investigation is still only getting started.

The company’s internal forensic report can be a particular and often critical point of tension. From a law enforcement perspective, these reports are immensely valuable—representing the results of weeks or months of forensic investigation and detailing the nature and scope of the intrusion and breach. This report can spare investigators significant time and expense, by offering an account of what occurred and key clues to further investigatory steps. At the same time, companies often have these reports prepared under the direction of legal counsel and in anticipation of potential litigation. The report can contain sensitive information, including the scope of the intrusion, the attack vector, and discovery of security controls that were absent or circumvented. Consequently, companies can be reluctant to provide the report to law enforcement because doing so will result in a waiver of privilege, allowing potentially damaging information to end up in the hands of third-parties, including possible plaintiffs in the event of a lawsuit.

Recognizing the underlying sources of diverging interests allows both parties to accommodate the needs of the other and thus continue to benefit from a collaborative relationship. A company might be unwilling to share its final forensic report, but may nevertheless be able to give law enforcement the information it needs by identifying relevant systems and logs and other key pieces of digital evidence. These types of compromises allow law enforcement to avoid duplicating the company’s investigative efforts, while minimizing risks of waiving privileged information.

Ultimately, communication between a company and law enforcement is key to maintaining a collaborative relationship after a security incident. It’s to that end that the Department of Justice recommends establishing relationships with law enforcement before an incident. Understanding the ways investigative interests are alike and different is also key to avoiding legal battles over evidence that can occur when interests diverge.

Kim is a partner at Alston & Bird and co-chair of the firm’s Cybersecurity Preparedness & Response Team. Kim is the former director of PwC’s cyber forensic services group and a former senior litigator for the Department of Justice’s Computer Crime and Intellectual Property Section. Kim’s background as an information security professional and lawyer for more than 17 years enhances her practice in managing technical cyber investigations and advising boards and senior executives in matters of cybersecurity and cyber risk.

Justin D. Hemmings is a Research Faculty Member at the Georgia Institute of Technology Scheller College of Business and a Project Attorney at Alston & Bird, where he engages in legal and policy issues and practice concerning privacy and cybersecurity. He and Peter Swire co-authored the 2017 NYU Annual Survey of American Law article “Mutual Legal Assistance in an Era of Globalized Communications: The Analogy to the Visa Waiver Program,” which proposed an approach that was later codified in Section 5 of the Clarifying Lawful Overseas Use of Data Act.